Office Exploit Gets New Life With PowerPoint Variation

Over the past few months, an Office vulnerability has become one of the most popular and efficient ways of delivering malware to vulnerable computers. The vulnerability — tracked as CVE-2017-0199 — was found by McAfee and FireEye employees in April of this year, and was a zero-day at the time of its discovery. In April, attackers were using it to deliver an RTF file to their targets, which when opened would automatically execute an OLE2link object and run malicious code to compromise users’ machines.

At the time, attackers used it to download an HTA file, which in turn, would run malicious JS code and install various payloads. Researchers have seen CVE-2017-0199 used to target pro-Russian separatists in Ukraine in a cyber-espionage campaign, but also to deliver the Latentbot backdoor trojan in financial malware campaigns. Later, the same exploit was used to deliver the Cerber ransomware via spam emails pushing malicious DOC files.

Growing Popularity

Yesterday, both Cisco and Trend Micro spotted new campaigns using this new exploit, confirming its popularity among crooks. The attacks, spotted by Cisco, were from a group that had chained CVE-2017-0199 to CVE-2012-0158, which was 2016’s most popular vulnerability. According to Cisco, this group spread a spam campaign that delivered the same old RTF documents that downloaded an HTA file to install malware. Crooks were trying to deliver either the Ramnit banking trojan or the Lokibot infostealer.

Cisco experts say that most attempts to infect users failed because if the user’s computer was patched against any of the two exploits, the infection attempt would fail. While the first of these new attacks with CVE-2017-0199 were poorly implemented, the second one was quite creative, and malware devs came up with a new way of exploiting the Office flaw.

Solutions For Your Organization

Luckily, all of TSI’s managed clients were already covered as part of April’s Microsoft “Patch Tuesday” which included the first WannaCry Ransomware patch. For our unmanaged clients who elected not to receive this important update, we highly recommend you contact us.